There is a staggering growth of endpoint mobile devices and cloud services in enterprises. With this influx, Information Technology (IT) administrators can no longer ignore these devices as simply outside their scope of responsibility. Access to sensitive corporate resources has traditionally been limited by role-based access controls implemented through on-premises Virtual Private Networks (VPNs), where any user with appropriate rights can access corporate resources using any application. In role-based access control, users are categorized into groups and resource access is evaluated by the permissions on that group. Resource access is then a function of the permissions on the user group only, and not of the means the user employs to access that resource. Historically, the number of ways a user could access data was severely limited by the scarcity of such applications and by the level of control the IT admin had over locked-down on-premises desktop systems, where users had limited privileges to install or remove software.
With the advent of cloud, mobility, and BYOD (bring your own device), there has been a growth in mobile applications that afford the end user a variety of choices for accessing corporate resources, such as third-party browsers, mail clients, file-sharing apps, etc. This poses severe security risks, where a user may inadvertently use a malicious application to access sensitive corporate information. A malicious application may then use such corporate information in nefarious ways, for example by caching it or transmitting it over the network to a server. In the past, an antivirus was used to blacklist or whitelist applications and to remove such software from the system; however, this fails to capture the correspondence between the nature of the resource and the application requesting it. For instance, a user may continue to use any browser for private Internet access but must use a secure web browser that conforms to enterprise security policies to access internal corporate resources.
In conventional, non-mobile environments, IT admins have full control over systems that are fully locked down to prevent installation of illegitimate software or removal of legitimate software. However, with the changing landscape, end users have sufficient control to access corporate resources from any application, device, network, or geography with a VPN application. Such risks can be avoided with proper access control restrictions on the applications that a user may use to access network resources.
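The contrast drawn above (role-only access decisions versus decisions that also consider the requesting application) can be shown as a small policy evaluator. The following is an added example written for this page, not code from the original text or from any product it describes; the role names, application identifiers, internal domain, and sample requests are all constructed. It evaluates each request twice, once under a pure role-based rule and once under an application-aware rule, and returns an audit-friendly reason so denied requests can be logged and reviewed.

```python
from dataclasses import dataclass

# --- Constructed policy data (hypothetical identifiers, not from any real deployment) ---

# Domains treated as internal corporate resources.
INTERNAL_DOMAINS = ("corp.example.internal",)

# Role-based rules: which resource classes a role may reach at all.
ROLE_GRANTS = {
    "engineer": {"internal", "public"},
    "contractor": {"public"},
}

# Application-aware rules: which application identities are approved per resource class.
# "*" means any application is acceptable (e.g. private Internet access).
APP_GRANTS = {
    "internal": {"com.example.securebrowser", "com.example.mailclient"},
    "public": {"*"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    app_id: str    # identity of the requesting application (e.g. package/bundle id)
    resource: str  # host[:port][/path] the application is trying to reach


def classify(resource: str) -> str:
    """Map a resource to 'internal' or 'public' by exact or subdomain match on host.

    Only the host portion is examined; the port and path are stripped so that
    'intranet.corp.example.internal:8443/x' still classifies as internal, while a
    lookalike such as 'corp.example.internal.attacker.example' stays public.
    """
    host = resource.split("/", 1)[0].split(":", 1)[0].lower()
    for domain in INTERNAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "internal"
    return "public"


def role_based_decision(req: AccessRequest) -> bool:
    """Traditional model: permission depends on the user's role only."""
    return classify(req.resource) in ROLE_GRANTS.get(req.role, set())


def app_aware_decision(req: AccessRequest) -> tuple[bool, str]:
    """Application-aware model: the role must permit the resource class AND the
    requesting application must be approved for that class. Returns (allowed, reason)
    so the decision can be written to an audit log."""
    cls = classify(req.resource)
    if cls not in ROLE_GRANTS.get(req.role, set()):
        return False, f"denied: role '{req.role}' has no access to {cls} resources"
    approved = APP_GRANTS.get(cls, set())
    if "*" in approved or req.app_id in approved:
        return True, f"allowed: app '{req.app_id}' approved for {cls} resources"
    return False, f"denied: app '{req.app_id}' not approved for {cls} resources"


def evaluate(req: AccessRequest) -> dict:
    """Evaluate one request under both models for side-by-side comparison."""
    allowed, reason = app_aware_decision(req)
    return {
        "resource_class": classify(req.resource),
        "role_only": role_based_decision(req),
        "app_aware": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample requests illustrating the four interesting cases.
    samples = [
        AccessRequest("alice", "engineer", "com.example.securebrowser", "intranet.corp.example.internal/finance"),
        AccessRequest("alice", "engineer", "com.thirdparty.browser", "intranet.corp.example.internal/finance"),
        AccessRequest("alice", "engineer", "com.thirdparty.browser", "www.example.com"),
        AccessRequest("bob", "contractor", "com.example.securebrowser", "intranet.corp.example.internal"),
    ]
    for s in samples:
        print(s.user, s.app_id, s.resource, evaluate(s))
```

The second sample request is the case the text is concerned with: a user whose role legitimately grants access to internal resources, but who is reaching them from an unapproved application. A role-only evaluator permits it; the application-aware evaluator denies it and records why, which is the signal a security operations team would want to alert on.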